In order to run sandboxed apps, it seems that streaming the GUI from a server via a VNC tunnel is the best idea. In order to do so, a CentOs server will be configured.
The ACL added to the default permissions will be configured as needed in order to allow a teacher to only add or edit a file and a student only edit it. Running a docker container with persistence allows the volume to write on the native filesystem only if allowed to.
Furthemore, running applications from a school’s server allows to control the stable network connection. As far as a user maintain a connection to the school’s network (via VPN works also), the access to the resources will be given.
As soon as the connection drops, the access is removed and it can be resumed when connecting but unsaved changes will be lost